In 2023, MGM Resorts lost an estimated $100 million after a threat actor called the company's IT help desk, impersonated an employee found on LinkedIn, and convinced a technician to reset credentials. The entire breach started with a phone call and a convincing story. That story — the fabricated scenario a social engineer uses to manipulate a target — is called a pretext. And if you're searching for pretexting attack examples, you're already asking the right question, because this technique is behind some of the most damaging data breaches in recent history.
This post breaks down real-world pretexting incidents, explains how they work at a mechanical level, and gives you specific defenses that actually hold up. No theory. Just what I've seen work — and what I've seen fail.
What Is a Pretexting Attack, Exactly?
Pretexting is a social engineering technique where an attacker creates a fabricated scenario — a pretext — to trick a victim into handing over information, credentials, or access. Unlike a generic phishing email blasted to thousands, pretexting is targeted and conversational. The attacker researches you, builds a believable identity, and then engages you directly.
According to the Verizon 2024 Data Breach Investigations Report, pretexting now accounts for the majority of social engineering incidents, overtaking standard phishing in terms of median financial loss. The median loss for a business email compromise (BEC) attack — which almost always involves pretexting — hit $50,000 per incident.
The key difference between pretexting and other social engineering tactics: the attacker doesn't just send a link and hope. They build trust over time, sometimes across multiple interactions, before making their move.
Pretexting Attack Examples That Made Headlines
Let's get specific. These aren't hypotheticals — they're documented incidents that show how pretexting operates across different industries and attack surfaces.
The MGM Resorts Breach (2023)
I already mentioned this one, but the details are worth examining. The Scattered Spider group identified an MGM employee on LinkedIn, called the IT help desk posing as that employee, and successfully convinced a technician to reset the account's multi-factor authentication. From there, the attackers escalated privileges, deployed ransomware across the environment, and caused operational chaos across MGM's Las Vegas properties for over a week.
The pretext was simple: "Hi, I'm locked out of my account. Can you help me reset it?" That's it. No malware. No zero-day exploit. Just a well-researched phone call.
The Ubiquiti Networks Wire Transfer (2015)
Ubiquiti Networks disclosed that attackers impersonated executives and targeted the company's finance department using spoofed emails. The pretext was a confidential acquisition that required urgent wire transfers. Employees, believing they were following instructions from senior leadership, transferred $46.7 million to overseas accounts controlled by the threat actors.
This is textbook BEC pretexting. The attacker studied the company's hierarchy, mimicked executive communication styles, and created urgency around a plausible business scenario.
The Twitter VIP Attack (2020)
In July 2020, attackers posing as internal IT staff called Twitter employees and claimed they needed credentials for an internal tool. Using the access they gained, they took over high-profile accounts, including those of Barack Obama, Elon Musk, and Apple, and posted cryptocurrency scam messages. The attackers were teenagers. The pretext was a routine IT support call.
Twitter later confirmed in SEC filings that the attackers used phone-based social engineering — pretexting — to obtain employee credentials, which led to the compromise of internal admin tools.
The RSA SecurID Breach (2011)
RSA, one of the most prominent security companies in the world, was compromised after employees received emails with the subject line "2011 Recruitment Plan." The attached Excel spreadsheet contained a zero-day exploit, but the real weapon was the pretext: an internal HR document relevant to the recipients' roles. Employees opened it because it looked like something they'd normally receive. The resulting breach compromised RSA's SecurID tokens and affected defense contractors downstream.
The Retool Breach (2023)
Attackers sent SMS phishing messages to Retool employees, pretending to be from the IT department and directing them to a fake login portal. When one employee engaged, the attacker followed up with a phone call impersonating an IT team member, talked the employee through a fake identity verification process, and obtained a multi-factor authentication code. The pretext combined urgency ("your account is at risk") with authority ("I'm from IT"). The attackers gained access to internal admin tools and compromised customer accounts.
The Anatomy of Every Pretext: 5 Elements Attackers Use
After studying dozens of these incidents, I see the same five building blocks in every successful pretexting attack:
- Research: The attacker gathers intelligence from LinkedIn, company websites, social media, and data broker sites. They know your name, your role, your boss's name, and your recent projects.
- Identity fabrication: They become someone you'd trust — a colleague, a vendor, an IT technician, an executive, a bank representative.
- Context creation: They build a plausible scenario. An acquisition. A password reset. An audit. A delivery issue. Something that fits your daily work.
- Urgency or authority: They apply pressure. "The CFO needs this done before end of day." "Your account will be locked in 30 minutes." This short-circuits critical thinking.
- The ask: Finally, they request the thing they actually want — a credential, a wire transfer, a file, an MFA code, or physical access to a building.
Every one of the pretexting attack examples above follows this pattern. Once you see it, you start recognizing it in real time.
Pretexting vs. Phishing: What's the Difference?
This is a question I get constantly, so let me be precise.
Phishing is a delivery mechanism — it's typically a mass email or message containing a malicious link or attachment. Pretexting is the story the attacker tells to make you act. You can have phishing without pretexting (a generic "your package is delayed" email) and pretexting without phishing (a phone call from a fake IT technician).
In practice, the most dangerous attacks combine both. The Retool breach used SMS phishing as the initial vector and pretexting via phone call to close the deal. The RSA breach used email phishing with a pretexted lure document. When threat actors layer these techniques, detection gets much harder.
Why Pretexting Bypasses Technical Controls
Here's the uncomfortable truth: pretexting attacks don't trip most of your security stack. Your firewall won't block a phone call. Your email gateway might catch a phishing link, but it won't flag a well-written BEC email with no attachment and no URL. Your endpoint detection won't alert on an employee voluntarily typing their credentials into a fake portal.
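A BEC message with no link and no attachment can still be scored on its headers and wording. The sketch below is an added example, not part of the original post; the corporate domain, executive name list, pressure vocabulary, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"      # assumed corporate mail domain
EXECUTIVES = {"dana reyes"}      # constructed list of executive display names
PRESSURE = re.compile(r"\b(urgent|confidential|end of day|immediately|wire)\b", re.I)

def triage(raw: str) -> list:
    """Return pretext signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    signals = []
    # Authority: a known executive's name on an address outside the company.
    if name.lower() in EXECUTIVES and domain != CORP_DOMAIN:
        signals.append("executive display name from external domain")
    # Replies silently diverted away from the apparent sender.
    if reply and reply.rpartition("@")[2].lower() != domain:
        signals.append("Reply-To domain differs from From domain")
    # Urgency: two or more distinct pressure terms in subject plus body.
    text = f"{msg.get('Subject', '')} {msg.get_payload()}"
    hits = {h.lower() for h in PRESSURE.findall(text)}
    if len(hits) >= 2:
        signals.append("pressure language: " + ", ".join(sorted(hits)))
    return signals

# Constructed samples: no URL and no attachment in either message.
SUSPECT = "\n".join([
    'From: "Dana Reyes" <dana.reyes@examp1e-corp.net>',
    "Reply-To: dana.private@mail.invalid",
    "To: ap@example.com",
    "Subject: Confidential acquisition",
    "",
    "I need a wire sent before end of day. Keep this confidential.",
])
BENIGN = "\n".join([
    'From: "Sam Lee" <sam.lee@example.com>',
    "To: ap@example.com",
    "Subject: Lunch",
    "",
    "See you at noon.",
])

if __name__ == "__main__":
    print(triage(SUSPECT))
    print(triage(BENIGN))
```

A hit from this kind of scoring is a reason to route the message for out-of-band verification, not proof of fraud.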
The FBI's Internet Crime Complaint Center (IC3) reported that BEC — which is predominantly pretexting-driven — caused over $2.9 billion in reported losses in 2023 alone. That's more than ransomware. More than credential theft through technical exploits. More than any other single category of cybercrime.
Pretexting targets the one layer you can't patch: human judgment. That's why cybersecurity awareness training isn't a nice-to-have — it's the primary control against this threat.
How to Defend Against Pretexting Attacks in 2026
Knowing real pretexting attack examples is step one. Here's what actually reduces your risk:
1. Build a Verification Culture
Every request for credentials, wire transfers, access changes, or sensitive data should trigger an out-of-band verification step. If someone calls claiming to be from IT, your employee hangs up and calls IT directly using a known number. If an email from the CFO requests a transfer, your finance team confirms via a separate channel — not by replying to the email.
This sounds simple. In practice, it requires relentless reinforcement. People default to being helpful. You need to train them that verifying isn't rude — it's required.
2. Run Realistic Phishing Simulations
Generic simulations with obvious bait don't prepare your team for a targeted pretext. You need simulations that mirror real attack techniques: spoofed executive emails requesting urgent action, fake IT calls, SMS-based lures tied to current events.
Organizations using phishing awareness training programs that include pretexting scenarios see measurable reductions in how often employees click through or comply with the request in simulated attacks. The key is frequency and realism: quarterly simulations at minimum.
3. Implement Phishing-Resistant MFA
The MGM and Retool breaches both succeeded because attackers socially engineered their way past multi-factor authentication. SMS codes and push notifications are vulnerable to pretexting. Hardware security keys (FIDO2/WebAuthn) are not — there's nothing for the victim to read over the phone or type into a fake site.
If you haven't moved to phishing-resistant MFA for your critical systems, you're leaving the door open to exactly the attacks described in this post.
4. Apply Zero Trust Principles
Zero trust architecture assumes no user or device should be automatically trusted, even inside the network. This limits the blast radius when a pretexting attack succeeds. If an attacker obtains one set of credentials, zero trust ensures those credentials don't provide lateral movement to critical systems.
The CISA Zero Trust Maturity Model provides a practical framework for implementation. Start with identity verification and microsegmentation — they directly counter the escalation patterns seen in pretexting-driven breaches.
5. Restrict Public Information Exposure
Every pretexting attack starts with reconnaissance. The more your employees share publicly — organizational charts, project details, travel schedules, technology stacks — the richer the pretext an attacker can build. Audit what your organization exposes on LinkedIn, your corporate website, and social media. Train employees to think of public information as attack surface.
6. Establish Wire Transfer Protocols
For finance teams specifically, implement mandatory dual-authorization for any transfer above a defined threshold. Require verbal confirmation from a known individual using a known phone number. Never allow changes to banking details based solely on email instructions. The Ubiquiti case would have been prevented by this single control.
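The three rules above, together with the out-of-band callback from step 1, can be enforced as a release gate in the payment workflow. This is an added example, not part of the original post; the threshold value, the vendor records, the field names, and the reading of dual authorization as two approvers other than the requester are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_AUTH_THRESHOLD = 10_000  # assumed value; the policy only says "a defined threshold"
# Constructed vendor master data. The callback number is read from here,
# never from the request that is being verified.
KNOWN_PHONE = {"acme-supplies": "+1-555-0100"}
ACCOUNT_ON_FILE = {"acme-supplies": "ACCT-0001"}

@dataclass
class TransferRequest:
    vendor: str
    amount: float
    dest_account: str
    channel: str                            # how the instruction arrived, e.g. "email"
    requester: str
    approvers: set = field(default_factory=set)
    callback_number: Optional[str] = None   # number actually dialed to confirm

def violations(req: TransferRequest) -> list:
    """Return every policy violation; an empty list means the transfer may proceed."""
    found = []
    on_file = KNOWN_PHONE.get(req.vendor)
    if on_file is None:
        found.append("unknown vendor")
    # Verbal confirmation must go to the number on file.
    if req.callback_number is None:
        found.append("no callback confirmation")
    elif req.callback_number != on_file:
        found.append("callback number not on file")
    # Dual authorization: two distinct approvers, not counting the requester.
    if req.amount > DUAL_AUTH_THRESHOLD and len(req.approvers - {req.requester}) < 2:
        found.append("dual authorization missing")
    # New banking details that arrived only by email are refused.
    if req.channel == "email" and req.dest_account != ACCOUNT_ON_FILE.get(req.vendor):
        found.append("bank details changed by email only")
    return found

# Constructed requests: one shaped like the urgent executive wire, one routine.
spoofed = TransferRequest("acme-supplies", 250_000, "ACCT-9999", "email",
                          requester="ap-clerk", approvers={"ap-clerk"})
routine = TransferRequest("acme-supplies", 250_000, "ACCT-0001", "portal",
                          requester="ap-clerk", approvers={"controller", "cfo"},
                          callback_number="+1-555-0100")

if __name__ == "__main__":
    print(violations(spoofed))
    print(violations(routine))
```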
What Makes Pretexting So Effective in 2026?
Generative AI has dramatically lowered the barrier to entry. Threat actors now use AI to draft flawless BEC emails without the grammar mistakes that used to be red flags. They use voice cloning to impersonate executives on phone calls. They use AI to scrape and synthesize publicly available data into detailed target profiles in seconds.
The pretexting attacks of 2026 are more convincing, more personalized, and harder to detect than anything we saw even two years ago. This is why security awareness isn't a one-time checkbox — it requires continuous training that evolves with the threat landscape.
Your Employees Are the Perimeter
Every one of the pretexting attack examples in this post succeeded because a human made a reasonable decision based on bad information. They weren't careless. They weren't ignorant. They were manipulated by someone who understood how trust works and exploited it methodically.
Your technical controls matter. Your policies matter. But the single most impactful investment you can make against pretexting is training your people to recognize the patterns — the urgency, the authority claims, the requests that bypass normal process — and giving them explicit permission to pause, verify, and push back.
Start with a comprehensive security awareness training program that covers social engineering beyond basic email phishing. Layer in targeted phishing simulation exercises that test your team against realistic pretexting scenarios. Measure results. Repeat.
The attackers are investing in better pretexts every day. The question is whether your organization is investing in better defenses at the same pace.